Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#2295 closed defect (fixed)

Integer overflow and crash parsing gif files

Reported by: ggrieco Owned by: beastd
Priority: normal Component: demuxer
Version: HEAD Severity: blocker
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: yes Analyzed by developer: no

Description

Summary of the bug:

Mplayer is crashing when playing a fuzzed gif file (attached). This bug is present in the last source snapshot (mplayer-export-2016-04-25) as well as older versions. I suspect this crash is related with an integer overflow happening just before.

How to reproduce:

$ ASAN_OPTIONS='abort_on_error=1' gdb --args ./mplayer -ao null -vo null overflow.gif
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from mplayer...done.
(gdb) r
Starting program: ./mplayer -ao null -vo null overflow.gif
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer SVN-r37856-snapshot-4.8 (C) 2000-2016 MPlayer Team

Playing overflow.gif.
libavformat version 57.34.103 (internal)
GIF file format detected.
==836== WARNING: AddressSanitizer failed to allocate 0xffffffffe48e6289 bytes
VIDEO:  RGB]  65341x58685  8bpp  5.000 fps    0.0 kbps ( 0.0 kbyte/s)
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 57.38.100 (internal)
[IMGUTILS @ 0x555558187900]Picture size 65341x58685 is invalid
Could not open codec.
VDecoder init failed :(
Opening video decoder: [raw] RAW Uncompressed Video
Movie-Aspect is undefined - no prescaling applied.
VO: [null] 65341x58685 => 65341x58685 BGR 8-bit 
Selected video codec: [rawbgr8] vfm: raw (RAW BGR8)
==========================================================================
Load subtitles in ./

Program received signal SIGSEGV, Segmentation fault.
0x0000555555d4c1b3 in new_demux_packet (len=<optimized out>) at libmpdemux/demuxer.h:300
300	    free(dp);
(gdb) bt
#0  0x0000555555d4c1b3 in new_demux_packet (len=<optimized out>) at libmpdemux/demuxer.h:300
#1  demux_gif_fill_buffer (demuxer=0x606a00003500, ds=<optimized out>) at libmpdemux/demux_gif.c:194
#2  0x0000555555b93395 in demux_fill_buffer (ds=0x601a0000aa10, demux=0x606a00003500) at libmpdemux/demuxer.c:649
#3  ds_get_next_pts (ds=0x601a0000aa10) at libmpdemux/demuxer.c:965
#4  0x0000555555981255 in print_file_properties (filename=<optimized out>, mpctx=0x55555818bd00 <mpctx_s>) at mplayer.c:526
#5  main (argc=6, argv=0x7fffffffe4c8) at mplayer.c:3603

...

Attachments (1)

overflow.gif (65 bytes) - added by ggrieco 2 years ago.

Download all attachments as: .zip

Change History (4)

Changed 2 years ago by ggrieco

comment:1 Changed 2 years ago by rxt

  • Component changed from demuxer to undetermined
  • Reproduced by developer set
  • Version changed from unspecified to HEAD

Reproducible only with -vo null

comment:2 Changed 2 years ago by rxt

  • Component changed from undetermined to demuxer
  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r37857.
The gif demuxes assumes in many places that width*height is <= INT_MAX; this is not true with the sample. Fixed by validating the picture size.

Thanks for reporting.

comment:3 Changed 2 years ago by henrisalo

For cross-reference CVE-2016-4352 was assigned for this issue in: http://www.openwall.com/lists/oss-security/2016/04/29/7

Note: See TracTickets for help on using tickets.